You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@kafka.apache.org by Roy van der Valk <ro...@gmail.com> on 2018/06/01 17:21:05 UTC
Custom AuthenticateCallbackHandler
Dear Kafka community,
Can somebody help me setting up a custom AuthenticateCallbackHandler as
described in KIP-86 recently added by Rajini Sivaram or point me to good
documentation?
I described my question in more detail on Stackoverflow:
https://stackoverflow.com/questions/50412589/kafka-custom-authenticatecallbackhandler
All help is greatly appreciated!
Roy
Re: Custom AuthenticateCallbackHandler
Posted by Martin Gainty <mg...@hotmail.com>.
________________________________
From: Roy van der Valk <ro...@gmail.com>
Sent: Friday, June 1, 2018 6:59 PM
To: users@kafka.apache.org
Subject: Re: Custom AuthenticateCallbackHandler
No I want to check plain user credentials for authentication against an external system. Where best to plug in this check. I thought the new AuthenticateCallbackHandler would be convenient, but I am very much in doubt if this is the right way. It is also not clear for me from the docs how to implement this.
Please see my stackoverflow question for a minimal test setup which I try to get working.
https://stackoverflow.com/questions/50412589/kafka-custom-authenticatecallbackhandler
[https://cdn.sstatic.net/Sites/stackoverflow/img/apple-touch-icon@2.png?v=73d79a89bded]<https://stackoverflow.com/questions/50412589/kafka-custom-authenticatecallbackhandler>
jaas - Kafka custom AuthenticateCallbackHandler - Stack ...<https://stackoverflow.com/questions/50412589/kafka-custom-authenticatecallbackhandler>
stackoverflow.com
I tried to implement a AuthenticateCallbackHandler ready to be released in Kafka 2.0.0 to no avail - is this a setup in which it should work? On https://cwiki.apache.org/confluence/display/KAFKA/K...
MG>assuming:
MG>LoginType.SERVER(JaasUtils.LOGIN_CONTEXT_SERVER);
MG>public static final String LOGIN_CONTEXT_SERVER = "KafkaServer";
MG>private static final String JAAS_USER_PREFIX = "user_";
MG>failure happens at PlainSaslServer#evaluateResponse with:
MG>Authentication failed: Invalid username or password
MG>here is the code:
String expectedPassword = JaasUtils.jaasConfig(
LoginType.SERVER.contextName(), //KafkaServer
JAAS_USER_PREFIX //user_
+ username); //username you supplied
if (!password.equals(expectedPassword)) {
throw new SaslException("Authentication failed: Invalid username or password");
}
MG>loginContextName and key used for lookup
MG>loginContextName entries are not null
MG>but supplied key misses on lookup
/**
* Construct a JAAS configuration object per kafka jaas configuration file
* @param loginContextName
* @param key
* @return JAAS configuration object
*/
public static String jaasConfig(String loginContextName, String key) throws IOException {
AppConfigurationEntry[] configurationEntries = Configuration.getConfiguration().getAppConfigurationEntry(loginContextName);
if (configurationEntries == null) {
MG>this is bypassed because your populated context is not null
String errorMessage = "Could not find a '" + loginContextName + "' entry in this configuration.";
throw new IOException(errorMessage);
}
for (AppConfigurationEntry entry: configurationEntries) {
Object val = entry.getOptions().get(key);
if (val != null)
return (String) val;
}
return null;
}
MG>so JAAS password where expected_password= user_admin
MG>but your password where expected_password = user_test
MG>any reason you need to implement username/password test/test instead of admin/admin ?
Any help/pointers/examples is much appreciated!
> Op 1 jun. 2018 om 21:05 heeft Martin Gainty <mg...@hotmail.com> het volgende geschreven:
>
> are you referring to onCompleteCallback from
>
> https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58
>
> [https://avatars2.githubusercontent.com/u/14958864?s=200&v=4]<https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58>
>
> KAFKA-6927; Chunked down-conversion to prevent out of memory errors o… · apache/kafka@837f31d<https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58>
> github.com
> …n broker [KIP-283] (#4871) Implementation for lazy down-conversion in a chunked manner for efficient memory usage during down-conversion. This pull request is mainly to get initial feedback on th...
>
>
>
>
> ?
>
> Martin
> _____________________________
>
>
>
> ________________________________
> From: Roy van der Valk <ro...@gmail.com>
> Sent: Friday, June 1, 2018 2:28 PM
> To: users@kafka.apache.org
> Subject: Re: Custom AuthenticateCallbackHandler
>
> Thank you Manikumar!
>
>> On Fri, Jun 1, 2018 at 7:30 PM, Manikumar <ma...@gmail.com> wrote:
>>
>> This feature will be part upcoming Kafka 2.0.0 release.
>>
>> Doc PR is here : https://github.com/apache/kafka/pull/4890
> [https://avatars2.githubusercontent.com/u/13164074?s=400&v=4]<https://github.com/apache/kafka/pull/4890>
>
> KAFKA-6800: Update SASL/PLAIN and SCRAM docs to use KIP-86 callbacks by rajinisivaram · Pull Request #4890 · apache/kafka<https://github.com/apache/kafka/pull/4890>
> github.com
> Committer Checklist (excluded from commit message) Verify design and implementation Verify test coverage and CI build status Verify documentation (including upgrade notes)
>
>
>
>>
>> configs here:
>> https://github.com/apache/kafka/blob/trunk/clients/src/
>> main/java/org/apache/kafka/common/config/SaslConfigs.java#L57
>>
>> On Fri, Jun 1, 2018 at 10:51 PM, Roy van der Valk <
>> roy.van.der.valk@gmail.com> wrote:
>>
>>> Dear Kafka community,
>>>
>>> Can somebody help me setting up a custom AuthenticateCallbackHandler as
>>> described in KIP-86 recently added by Rajini Sivaram or point me to good
>>> documentation?
>>>
>>> I described my question in more detail on Stackoverflow:
>>> https://stackoverflow.com/questions/50412589/kafka-custom-
>>> authenticatecallbackhandler
>>>
>>> All help is greatly appreciated!
>>>
>>> Roy
>>>
>>
Re: Custom AuthenticateCallbackHandler
Posted by Roy van der Valk <ro...@gmail.com>.
No I want to check plain user credentials for authentication against an external system. Where best to plug in this check. I thought the new AuthenticateCallbackHandler would be convenient, but I am very much in doubt if this is the right way. It is also not clear for me from the docs how to implement this.
Please see my stackoverflow question for a minimal test setup which I try to get working.
https://stackoverflow.com/questions/50412589/kafka-custom-authenticatecallbackhandler
Any help/pointers/examples is much appreciated!
> Op 1 jun. 2018 om 21:05 heeft Martin Gainty <mg...@hotmail.com> het volgende geschreven:
>
> are you referring to onCompleteCallback from
>
> https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58
>
> [https://avatars2.githubusercontent.com/u/14958864?s=200&v=4]<https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58>
>
> KAFKA-6927; Chunked down-conversion to prevent out of memory errors o… · apache/kafka@837f31d<https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58>
> github.com
> …n broker [KIP-283] (#4871) Implementation for lazy down-conversion in a chunked manner for efficient memory usage during down-conversion. This pull request is mainly to get initial feedback on th...
>
>
>
>
> ?
>
> Martin
> _____________________________
>
>
>
> ________________________________
> From: Roy van der Valk <ro...@gmail.com>
> Sent: Friday, June 1, 2018 2:28 PM
> To: users@kafka.apache.org
> Subject: Re: Custom AuthenticateCallbackHandler
>
> Thank you Manikumar!
>
>> On Fri, Jun 1, 2018 at 7:30 PM, Manikumar <ma...@gmail.com> wrote:
>>
>> This feature will be part upcoming Kafka 2.0.0 release.
>>
>> Doc PR is here : https://github.com/apache/kafka/pull/4890
> [https://avatars2.githubusercontent.com/u/13164074?s=400&v=4]<https://github.com/apache/kafka/pull/4890>
>
> KAFKA-6800: Update SASL/PLAIN and SCRAM docs to use KIP-86 callbacks by rajinisivaram · Pull Request #4890 · apache/kafka<https://github.com/apache/kafka/pull/4890>
> github.com
> Committer Checklist (excluded from commit message) Verify design and implementation Verify test coverage and CI build status Verify documentation (including upgrade notes)
>
>
>
>>
>> configs here:
>> https://github.com/apache/kafka/blob/trunk/clients/src/
>> main/java/org/apache/kafka/common/config/SaslConfigs.java#L57
>>
>> On Fri, Jun 1, 2018 at 10:51 PM, Roy van der Valk <
>> roy.van.der.valk@gmail.com> wrote:
>>
>>> Dear Kafka community,
>>>
>>> Can somebody help me setting up a custom AuthenticateCallbackHandler as
>>> described in KIP-86 recently added by Rajini Sivaram or point me to good
>>> documentation?
>>>
>>> I described my question in more detail on Stackoverflow:
>>> https://stackoverflow.com/questions/50412589/kafka-custom-
>>> authenticatecallbackhandler
>>>
>>> All help is greatly appreciated!
>>>
>>> Roy
>>>
>>
Re: Custom AuthenticateCallbackHandler
Posted by Martin Gainty <mg...@hotmail.com>.
are you referring to onCompleteCallback from
https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58
[https://avatars2.githubusercontent.com/u/14958864?s=200&v=4]<https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58>
KAFKA-6927; Chunked down-conversion to prevent out of memory errors o… · apache/kafka@837f31d<https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58>
github.com
…n broker [KIP-283] (#4871) Implementation for lazy down-conversion in a chunked manner for efficient memory usage during down-conversion. This pull request is mainly to get initial feedback on th...
?
Martin
_____________________________
________________________________
From: Roy van der Valk <ro...@gmail.com>
Sent: Friday, June 1, 2018 2:28 PM
To: users@kafka.apache.org
Subject: Re: Custom AuthenticateCallbackHandler
Thank you Manikumar!
On Fri, Jun 1, 2018 at 7:30 PM, Manikumar <ma...@gmail.com> wrote:
> This feature will be part upcoming Kafka 2.0.0 release.
>
> Doc PR is here : https://github.com/apache/kafka/pull/4890
[https://avatars2.githubusercontent.com/u/13164074?s=400&v=4]<https://github.com/apache/kafka/pull/4890>
KAFKA-6800: Update SASL/PLAIN and SCRAM docs to use KIP-86 callbacks by rajinisivaram · Pull Request #4890 · apache/kafka<https://github.com/apache/kafka/pull/4890>
github.com
Committer Checklist (excluded from commit message) Verify design and implementation Verify test coverage and CI build status Verify documentation (including upgrade notes)
>
> configs here:
> https://github.com/apache/kafka/blob/trunk/clients/src/
> main/java/org/apache/kafka/common/config/SaslConfigs.java#L57
>
> On Fri, Jun 1, 2018 at 10:51 PM, Roy van der Valk <
> roy.van.der.valk@gmail.com> wrote:
>
> > Dear Kafka community,
> >
> > Can somebody help me setting up a custom AuthenticateCallbackHandler as
> > described in KIP-86 recently added by Rajini Sivaram or point me to good
> > documentation?
> >
> > I described my question in more detail on Stackoverflow:
> > https://stackoverflow.com/questions/50412589/kafka-custom-
> > authenticatecallbackhandler
> >
> > All help is greatly appreciated!
> >
> > Roy
> >
>
Re: Custom AuthenticateCallbackHandler
Posted by Roy van der Valk <ro...@gmail.com>.
Thank you Manikumar!
On Fri, Jun 1, 2018 at 7:30 PM, Manikumar <ma...@gmail.com> wrote:
> This feature will be part upcoming Kafka 2.0.0 release.
>
> Doc PR is here : https://github.com/apache/kafka/pull/4890
>
> configs here:
> https://github.com/apache/kafka/blob/trunk/clients/src/
> main/java/org/apache/kafka/common/config/SaslConfigs.java#L57
>
> On Fri, Jun 1, 2018 at 10:51 PM, Roy van der Valk <
> roy.van.der.valk@gmail.com> wrote:
>
> > Dear Kafka community,
> >
> > Can somebody help me setting up a custom AuthenticateCallbackHandler as
> > described in KIP-86 recently added by Rajini Sivaram or point me to good
> > documentation?
> >
> > I described my question in more detail on Stackoverflow:
> > https://stackoverflow.com/questions/50412589/kafka-custom-
> > authenticatecallbackhandler
> >
> > All help is greatly appreciated!
> >
> > Roy
> >
>
Re: Custom AuthenticateCallbackHandler
Posted by Manikumar <ma...@gmail.com>.
This feature will be part upcoming Kafka 2.0.0 release.
Doc PR is here : https://github.com/apache/kafka/pull/4890
configs here:
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java#L57
On Fri, Jun 1, 2018 at 10:51 PM, Roy van der Valk <
roy.van.der.valk@gmail.com> wrote:
> Dear Kafka community,
>
> Can somebody help me setting up a custom AuthenticateCallbackHandler as
> described in KIP-86 recently added by Rajini Sivaram or point me to good
> documentation?
>
> I described my question in more detail on Stackoverflow:
> https://stackoverflow.com/questions/50412589/kafka-custom-
> authenticatecallbackhandler
>
> All help is greatly appreciated!
>
> Roy
>